
Personal Data Processing Policy

General provisions

The policy of personal data processing in I-Novus LLC (hereinafter - the Policy) defines the basic principles, goals, conditions and methods of processing personal data, the lists of subjects and personal data processed by I-Novus LLC, the functions of I-Novus LLC in processing personal data, the rights of personal data subjects, as well as the requirements for personal data protection implemented in I-Novus LLC.

The policy was developed taking into account the requirements of the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation in the field of personal data.

The provisions of the Policy serve as the basis for the development of local regulations governing I-Novus LLC regarding the processing of personal data of I-Novus LLC employees and other personal data subjects.

Legislative and other regulatory legal acts of the Russian Federation, in accordance with which the Policy of personal data processing in I-Novus LLC is determined

The policy of processing personal data in I-Novus LLC is determined in accordance with the following regulatory legal acts:

  • Labor Code of the Russian Federation;
  • Federal Law of July 27, 2006 № 152-ФЗ «On Personal Data»;
  • Decree of the President of the Russian Federation of March 6, 1997 № 188 «On Approving the List of Confidential Information»;
  • Decree of the Government of the Russian Federation of September 15, 2008 № 687 «On Approval of the Regulation on Peculiarities of Processing Personal Data Performed Without Using Automation Tools»;
  • Decree of the Government of the Russian Federation of November 1, 2012 № 1119 «On approval of requirements for the protection of personal data when they are processed in personal data information systems»;
  • Order of the FSTEC of Russia dated February 18, 2013 № 21 «On approval of the composition and content of organizational and technical measures to ensure the security of personal data when they are processed in personal data information systems»;
  • Order of Roskomnadzor dated September 5, 2013 № 996 «On approval of requirements and methods for depersonalization of personal data»;
  • Other regulatory legal acts of the Russian Federation and regulatory documents of authorized state bodies.

In order to implement the provisions of the Policy, I-Novus LLC develops relevant local regulatory acts and other documents, including:

  • the provision on the processing of personal data in I-Novus LLC;
  • other local regulations and documents regulating personal data processing issues at I-Novus LLC.

The basic terms and definitions used in the local regulatory acts of I-Novus LLC governing the processing of personal data.

Personal data - any information relating directly or indirectly to a specific or designated individual (subject of personal data).

Information - information (messages, data) regardless of the form of their presentation.

Operator - a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

Personal data processing - any action (operation) or set of actions (operations) performed with the use of automation tools or without using such tools with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated processing of personal data - processing of personal data using computer technology.

Provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons.

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.

Cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.

Blocking of personal data - a temporary cessation of the processing of personal data (except in cases where the processing is necessary to clarify personal data).

The destruction of personal data is an action, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the material carriers of personal data are destroyed.

Anonymization of personal data - an action as a result of which it becomes impossible, without the use of additional information, to determine which specific subject the personal data belong to.

Personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing.


Principles and objectives for the processing of personal data

I-Novus LLC, being an operator of personal data, processes personal data of employees of I-Novus LLC and other personal data subjects who are not in employment relationships with I-Novus LLC.

The processing of personal data in I-Novus LLC is carried out taking into account the need to protect the rights and freedoms of employees of I-Novus LLC and other personal data subjects, including the protection of the right to privacy, personal and family secrets, based on the following principles:

  • personal data processing is carried out in I-Novus LLC on a legal and fair basis;
  • the processing of personal data is limited to the achievement of specific, predetermined and legitimate goals;
  • processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
  • it is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other;
  • only personal data that meets the purposes of their processing are subject to processing;
  • the content and volume of personal data processed is consistent with the stated processing objectives. The redundancy of the processed personal data in relation to the stated purposes of their processing is not allowed;
  • the processing of personal data ensures the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data. I-Novus LLC takes the necessary measures or ensures their adoption to remove or clarify incomplete or inaccurate personal data;
  • personal data is stored in a form that allows the subject of personal data to be identified for no longer than the purpose of processing personal data requires, unless the period for storing personal data is established by federal law or by a contract under which the personal data subject is the beneficiary or guarantor;
  • the personal data processed is destroyed or depersonalized upon reaching the processing objectives or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

Personal data is processed in I-Novus LLC for the following purposes:

  • ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, local regulatory acts of I-Novus LLC;
  • implementation of functions, powers and responsibilities assigned by the legislation of the Russian Federation to I-Novus LLC, including the provision of personal data to state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, as well as to other government agencies;
  • regulation of labor relations with employees of I-Novus LLC (employment assistance, training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property);
  • providing employees of I-Novus LLC and their family members with additional guarantees and compensations, including non-state pension benefits, voluntary medical insurance, medical care and other types of social security;
  • protection of life, health or other vital interests of personal data subjects;
  • preparation, conclusion, execution and termination of contracts with counterparties;
  • provision of access control and intra-object regimes at the facilities of I-Novus LLC;
  • formation of reference materials for internal information support of the activities of I-Novus LLC, its branches, representative offices, and separate subdivisions;
  • execution of judicial acts, acts of other bodies or officials, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
  • implementation of the rights and legitimate interests of I-Novus LLC in the framework of the implementation of activities stipulated by the Charter and other local regulatory acts of I-Novus LLC, or third parties, or the achievement of socially significant goals;
  • for other legitimate purposes.

The list of subjects whose personal data are processed in I-Novus LLC.

I-Novus LLC processes personal data of the following categories of subjects:

  • employees of I-Novus LLC,
  • other subjects of personal data (to ensure the implementation of the processing objectives specified in section 4 of the Policy).

The list of personal data processed by I-Novus LLC.

The list of personal data processed by I-Novus LLC is determined in accordance with the legislation of the Russian Federation and local regulations of I-Novus LLC, taking into account the purposes of processing personal data specified in section 4 of the Policy.

The processing of special categories of personal data relating to race, nationality, political views, religious or philosophical convictions, intimate life, is not carried out in I-Novus LLC.

Information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established (biometric personal data) and which is used by an employer to identify an employee, can be processed only with consent given in writing.


Functions of I-Novus LLC in the processing of personal data

I-Novus LLC in the processing of personal data:

  • takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation and local regulations of I-Novus LLC in the field of personal data;
  • takes legal, organizational and technical measures to protect personal data from unlawful or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
  • appoints the person responsible for organizing the processing of personal data in I-Novus LLC;
  • publishes local regulations that determine the policy and issues of processing and protection of personal data in I-Novus LLC;
  • provides employees of I-Novus LLC directly engaged in the processing of personal data with the provisions of the legislation of the Russian Federation and local regulations of I-Novus LLC in the field of personal data, including requirements for the protection of personal data, and training of these employees;
  • publishes or otherwise provides unrestricted access to this Policy;
  • informs the subjects of personal data or their representatives, in the prescribed manner, about the availability of personal data related to the respective subjects, and provides an opportunity to review this personal data upon application by and (or) receipt of requests from the said personal data subjects or their representatives, unless otherwise provided by the legislation of the Russian Federation;
  • stops processing and destroys personal data in cases provided for by the legislation of the Russian Federation in the field of personal data;
  • performs other actions stipulated by the legislation of the Russian Federation in the field of personal data.

Conditions for processing personal data in I-Novus LLC

The processing of personal data in I-Novus LLC is carried out with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by the legislation of the Russian Federation in the field of personal data.

I-Novus LLC without the consent of the subject of personal data does not disclose to third parties and does not distribute personal data, unless otherwise provided by federal law.

I-Novus LLC has the right to entrust the processing of personal data to another person with the consent of the subject of personal data on the basis of a contract concluded with this person. The contract should contain a list of actions (operations) with personal data that will be performed by the person performing personal data processing, the processing purposes, the obligation of such person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of personal data being processed in accordance with Article 19 of the Federal Law «On Personal Data».

For the purpose of internal information support, I-Novus LLC may create internal reference materials which, with the written consent of the subject of personal data, unless otherwise provided by the legislation of the Russian Federation, may include his last name, first name, patronymic, place of work, position, subscriber number, e-mail address, other personal data communicated by the subject of personal data.

Access to personal data processed by I-Novus LLC is allowed only to I-Novus LLC employees holding positions included in the list of I-Novus LLC positions whose holders process personal data.

The list of actions with personal data and methods for their processing

I-Novus LLC collects, records, systematizes, accumulates, stores, refines (updates, changes), retrieves, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes and destroys personal data.

The processing of personal data in I-Novus LLC is carried out in the following ways:

  • manual processing of personal data;
  • automated processing of personal data with or without transferring the information received through information and telecommunication networks;
  • mixed processing of personal data.

Rights of personal data subjects

The personal data subjects are entitled to:

  • complete information about their personal data processed by I-Novus LLC;
  • access to their personal data, including the right to receive a copy of any record containing their personal data, with the exception of cases provided for by federal law, as well as access to relevant medical data with the help of a medical specialist of their choice;
  • clarification of their personal data, their blocking or destruction if personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
  • withdrawal of consent to the processing of personal data;
  • taking measures provided by law to protect their rights;
  • appeal against the actions or omissions of I-Novus LLC, carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data, to an authorized body for the protection of the rights of personal data subjects or to court;
  • the exercise of other rights provided for by the legislation of the Russian Federation.

Measures taken by I-Novus LLC to ensure the performance of operator duties in the processing of personal data.

Measures that are necessary and sufficient to ensure that I-Novus LLC fulfills the operator’s obligations under the legislation of the Russian Federation in the field of personal data include:

  • appointment of a person responsible for organizing the processing of personal data in I-Novus LLC;
  • adoption of local regulations and other documents in the field of processing and protection of personal data;
  • organization of training and carrying out methodological work with employees of structural subdivisions of I-Novus LLC occupying positions included in the list of positions of structural subdivisions of I-Novus LLC whose holders process personal data;
  • obtaining the consent of the subjects of personal data to the processing of their personal data, except in cases provided for by the legislation of the Russian Federation;
  • the separation of personal data processed without the use of automation, from other information, in particular by recording them on separate material media of personal data, in special sections;
  • provision of separate storage of personal data and their material carriers, which are processed for different purposes and which contain different categories of personal data;
  • imposing a ban on the transfer of personal data through open communication channels, computer networks outside the controlled area and the Internet without applying the measures established in I-Novus LLC to ensure the security of personal data (with the exception of public and (or) depersonalized personal data);
  • storage of material carriers of personal data in compliance with conditions that ensure the safety of personal data and exclude unauthorized access to them;
  • implementation of internal control over the compliance of personal data processing with the Federal Law «On Personal Data» and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, this Policy, local regulatory acts of I-Novus LLC;
  • other measures stipulated by the legislation of the Russian Federation in the field of personal data.

Measures to ensure the security of personal data when they are processed in personal data information systems are established in accordance with the local regulations of I-Novus LLC governing the security of personal data when they are processed in the personal data information systems of I-Novus LLC.

Monitoring compliance with the laws of the Russian Federation and local regulations of I-Novus LLC in the field of personal data, including requirements for the protection of personal data.

12.1. Monitoring of the observance by the structural subdivisions of I-Novus LLC of the legislation of the Russian Federation and the local regulations of I-Novus LLC in the field of personal data, including requirements for the protection of personal data, is carried out in order to verify the compliance of the processing of personal data in the structural units of I-Novus LLC with the legislation of the Russian Federation and local regulations of I-Novus LLC in the field of personal data, including requirements for the protection of personal data, as well as the measures taken that are aimed at preventing and detecting violations of Russian legislation in the field of personal data, detection of possible leakage channels and unauthorized access to personal data, the consequences of such violations.

12.2. Internal control over the observance by the structural subdivisions of I-Novus LLC of the legislation of the Russian Federation and local regulations of I-Novus LLC in the field of personal data, including requirements for the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in I-Novus LLC.

12.3. Internal control over the compliance of personal data processing with the Federal Law «On Personal Data» and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, this Policy, local regulatory acts of I-Novus LLC is exercised by the Personnel Management Apparatus of I-Novus LLC.

12.4. Personal responsibility for compliance with the requirements of the legislation of the Russian Federation and local regulations of I-Novus LLC in the field of personal data in I-Novus LLC, as well as for ensuring the confidentiality and security of personal data in I-Novus LLC, rests with the General Director.